Overview

overview

10

Static

static

8be791cfaf...52.dll

windows7_x64

10

8be791cfaf...52.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 09:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8be791cfaf6dbe2f1022406cbab97c3f53a084abd5b7e2ede043bd10de268352.dll

  • Size

    255KB

  • MD5

    0c08b1960c39c2c9524dba1ffe86753c

  • SHA1

    8e1f2c5aae34110d22b8e93277e2985473b3d2c9

  • SHA256

    8be791cfaf6dbe2f1022406cbab97c3f53a084abd5b7e2ede043bd10de268352

  • SHA512

    5f7eb2dfe282cbd90746f0ea810645ebe05d649565b2002dac0bb83a0ac305e42d6ddda7952246c5cc10027332a9a7afa618dfb1101472764468b9767f72e2fc

Score
10/10
zloaderdllobnovacookiesfixbotnetpersistencetrojan

Malware Config

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

cookiesfix

C2

https://fdsjfjdsfjdsdsjajjs.com/gate.php

https://idisaudhasdhasdj.com/gate.php

https://dsjdjsjdsadhasdas.com/gate.php

https://dsdjfhdsufudhjas.com/gate.php

https://dsdjfhdsufudhjas.info/gate.php

https://fdsjfjdsfjdsdsjajjs.info/gate.php

https://idisaudhasdhasdj.info/gate.php

https://dsdjfhdsufudhjas.pro/gate.php

https://dsdjfhd9ddksaas.pro/gate.php
Attributes
  • build_id

    26

rc4.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • Blocklisted process makes network request 7 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8be791cfaf6dbe2f1022406cbab97c3f53a084abd5b7e2ede043bd10de268352.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8be791cfaf6dbe2f1022406cbab97c3f53a084abd5b7e2ede043bd10de268352.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:548
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe bee5dc6055c07e9945c58b68be8f4aec u3pCchQsYkujnCz7FYwSeA.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:3916

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/548-132-0x0000000000820000-0x0000000000853000-memory.dmp

    Filesize

    204KB

    Download

  • memory/548-135-0x0000000000820000-0x0000000000853000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3096-130-0x0000000003350000-0x0000000003351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3096-131-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download